Mobile App as FIDO Authenticator


Tanmay Sawant

Jun 14, 2022, 2:53:11 PM
to FIDO Dev (fido-dev)
Hello, I am exploring a use case of using a mobile app as a FIDO authenticator (as a FIDO key) on iOS/Android devices and need some help:
1. What are the specifications that we need to follow and are there any related workflows?
2. Are there any existing mobile applications that work as a FIDO key to access resources on a desktop?
3. Can anyone who has done this before share technical details/architecture?

Any help regarding this is much appreciated!

Arshad Noor

Jun 14, 2022, 3:09:51 PM
to fido...@fidoalliance.org, tanmay...@gmail.com
If your goal is to use the mobile device as an authenticator for *only*
mobile rich client applications, you're welcome to take a look at our
open-source Android library that delivers FIDO2 capability with
AndroidKeystore Attestation, leveraging the TEE/Secure Element on the
device with biometrics and Secure Display for digitally signed
transactions (besides just FIDO2 registration/authentication):

https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl

However, the Android library will only work with our open-source FIDO
Certified server at https://github.com/StrongKey/fido2 because no other
server currently supports AndroidKeystore Attestation to the best of my
knowledge. If I'm wrong, I'm sure someone will correct me on this thread.

Arshad Noor
StrongKey

Shane Weeden

Jun 14, 2022, 4:29:39 PM
to Arshad Noor, fido...@fidoalliance.org, tanmay...@gmail.com
Ok. I’ll bite. There are definitely other server technologies that support Android Keystore attestation albeit commercial and not open source.

Also, with respect to a mobile phone as a FIDO authenticator, it would be useful to understand the use case a bit more. If the use case is browser-based login on a laptop, for example, both Android and iOS* can support that today using the regular camera app. The iOS caveat is that it has been announced for GA as part of iOS 16 but can be enabled via a developer option in existing iOS 15.

Sent from my iPhone


Tanmay Sawant

Jun 14, 2022, 4:39:35 PM
to FIDO Dev (fido-dev), Shane Weeden, fido...@fidoalliance.org, Tanmay Sawant, Arshad Noor
Thank you, Shane and Arshad. Let me clarify the use case a little bit. Here I am trying to access a web application (e.g. O365) on my laptop/desktop and, during the authentication process, I want to use a mobile application (in place of a hardware FIDO key) to complete the FIDO2 authentication. I believe to achieve this, we need to first register the mobile device/app with the desktop by using some kind of software or hardware, like Bluetooth device pairing.

Let me know if I am missing something. Also copying my original questions again:
1. What are the specifications that we need to follow and are there any related workflows?
2. Are there any existing mobile applications that work as a FIDO key to access resources on the desktop?
3. Can anyone who has done this before share technical details/architecture?

Shane Weeden

Jun 14, 2022, 5:39:11 PM
to Tanmay Sawant, fido...@fidoalliance.org, Arshad Noor
For 2FA use cases there is nothing special you need to do. In fact, you can use your Android phone today for this use case with GitHub, Facebook, etc. as a security key. With iOS you either have to wait till iOS 16 comes out or turn on syncing WebAuthn credentials via a developer setting. Just use the normal camera app and the “add a phone” option when registering a security key from Chrome or Safari on the laptop.

Sent from my iPhone


John Bradley

Jun 14, 2022, 7:23:22 PM
to Shane Weeden, Tanmay Sawant, fido...@fidoalliance.org, Arshad Noor
If the application is O365 then you are likely limited by the authenticators supported by AzureAD. At the moment I believe packed and TPM attestations are the only ones supported.

AzureAD also requires discoverable credentials.   

You might be able to disable attestation checking in Azure but that has other risks.  

You could theoretically build a soft Authenticator that would work, but it would be a large project. 

John B. 
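An added example (not from the thread, and not AzureAD's code) of the kind of relying-party policy John describes: at registration the RP decodes the attestationObject and accepts only the attestation formats it is configured for, so an authenticator that can only produce another format is turned away at enrolment rather than silently accepted. The allow-list, RP ID and sample attestation bytes are constructed assumptions, and the CBOR decoder covers only the subset these objects use:

```python
"""Added example (not from the thread): RP-side attestation-format policy at
registration. The allow-list is an assumption modelled on the restriction John
mentions; the sample attestationObject is constructed by hand, not captured."""
import hashlib
import struct

def cbor_decode(data: bytes, pos: int = 0):
    """Decode one CBOR item at pos; return (value, next_pos). Handles the subset
    an attestationObject needs: ints, byte/text strings, arrays, maps."""
    initial = data[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = data[pos], pos + 1
    elif info == 25:
        (arg,), pos = struct.unpack(">H", data[pos:pos + 2]), pos + 2
    elif info == 26:
        (arg,), pos = struct.unpack(">I", data[pos:pos + 4]), pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return data[pos:pos + arg], pos + arg
    if major == 3:
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            val, pos = cbor_decode(data, pos)
            result[key] = val
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

ALLOWED_FMTS = {"packed", "tpm"}  # assumption: the formats this RP is willing to verify
FLAG_AT = 0x40                    # authenticatorData flag: attested credential data present

def check_attestation_policy(attestation_object: bytes, allowed=ALLOWED_FMTS) -> dict:
    """Return {'fmt', 'aaguid'} if the attestation format is on the allow-list;
    raise ValueError otherwise. Verifying the attStmt itself is a separate step."""
    att, _ = cbor_decode(attestation_object)
    fmt = att.get("fmt")
    if fmt not in allowed:
        raise ValueError(f"attestation format {fmt!r} not accepted by policy")
    auth_data = att["authData"]
    if not auth_data[32] & FLAG_AT:
        raise ValueError("registration authData carries no attested credential data")
    aaguid = auth_data[37:53]  # attested credential data begins with the 16-byte AAGUID
    return {"fmt": fmt, "aaguid": aaguid.hex()}

# --- constructed sample: {"fmt": <fmt>, "attStmt": {}, "authData": <bytes>} ---
def _tstr(s: str) -> bytes:
    """CBOR text string for strings shorter than 24 bytes (major type 3)."""
    b = s.encode()
    return bytes([0x60 | len(b)]) + b

def build_attestation_object(fmt: str, rp_id: str = "example.com") -> bytes:
    """Hand-encode a minimal attestationObject for testing the policy check.
    The COSE public key that follows the credential ID in real objects is omitted."""
    auth = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
            + bytes([FLAG_AT | 0x01])                  # flags: AT + UP
            + b"\x00\x00\x00\x00"                      # signCount
            + b"\x11" * 16                             # AAGUID (constructed value)
            + b"\x00\x01" + b"\x42")                   # credentialIdLength=1, credentialId
    return (b"\xa3" + _tstr("fmt") + _tstr(fmt)
            + _tstr("attStmt") + b"\xa0"
            + _tstr("authData") + b"\x58" + bytes([len(auth)]) + auth)

if __name__ == "__main__":
    print(check_attestation_policy(build_attestation_object("packed")))
    try:
        check_attestation_policy(build_attestation_object("android-key"))
    except ValueError as e:
        print("rejected:", e)
```

The check runs before any signature or certificate-chain validation, which is the point: a format the RP cannot verify should be rejected by policy rather than handled by "disabling attestation checking", which is the risk John alludes to.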

Arshad Noor

Jun 16, 2022, 3:02:49 PM
to Shane Weeden, fido...@fidoalliance.org, tanmay...@gmail.com
@Shane, thanks for the update. I presume you're speaking from personal
knowledge/experience on the commercial implementation, and not hearsay.

@Tanmay, the specific use-case you've described (using the mobile device
to authenticate to a desktop application) is not one that StrongKey is
currently focused on. As I mentioned in my earlier message, the use-case
our Android library targets, is for authenticating users to rich client
apps running on the mobile device. Sorry.

Arshad

Philipp Junghannß

Jun 16, 2022, 4:06:16 PM
to Shane Weeden, Arshad Noor, FIDO Dev (fido-dev), tanmay...@gmail.com
I'll also throw one into the mix.

As far as I read, Android keystore attestation is using the alg id android-key, which is also supported by


Regards

My1

Tanmay Sawant

Jun 16, 2022, 6:11:27 PM
to FIDO Dev (fido-dev), My1, Arshad Noor, FIDO Dev (fido-dev), Tanmay Sawant, Shane Weeden
Thank you, everyone! 

So, I already have an iOS/Android mobile application that generates OTP codes (similar to Google Authenticator, Duo, etc.). I want to enhance this mobile app so that it can also work as a FIDO roaming authenticator. I know several companies have achieved this (e.g. HYPE, Akamai, Idmelon, etc.). I am looking for implementation details for this change.

Thanks!

Hassan Seifi

Jun 28, 2022, 8:56:12 PM
to FIDO Dev (fido-dev), tanmay...@gmail.com, My1, Arshad Noor, FIDO Dev (fido-dev), Shane Weeden
All you need is to implement CTAP on Android and iOS based on the standard (and Bluetooth). I would suggest always going native (Swift/Java), especially when it comes to the stability of Bluetooth and using other OS-backed cryptography resources.

Can you be more specific on "Implementation details", so I can provide more help?

Thanks, Hassan

Tim Cappalli

Jun 28, 2022, 8:57:17 PM
to Hassan Seifi, FIDO Dev (fido-dev), tanmay...@gmail.com, My1, Arshad Noor, FIDO Dev (fido-dev), Shane Weeden

Why would you implement CTAP when you can just call the system FIDO2 APIs?

Hassan Seifi

Jun 28, 2022, 9:09:27 PM
to Tim Cappalli, Arshad Noor, FIDO Dev (fido-dev), My1, Shane Weeden, tanmay...@gmail.com
This is a dream. Do you mean the third-party app can access FIDO credentials stored by the OS-native passkey?
Or do you mean the app itself registers a FIDO credential there for its own access?

Thanks, Hassan


Tim Cappalli

Jun 28, 2022, 9:14:42 PM
to Hassan Seifi, Arshad Noor, FIDO Dev (fido-dev), My1, Shane Weeden, tanmay...@gmail.com

I'm not sure I fully understand your question. The system FIDO APIs are nearly identical to the WebAuthn browser API. You create a credential for an origin and can then request an assertion for that same origin (bound to your app) for authenticating the user.

Android sample: security-samples/Fido at main · android/security-samples (github.com)

Android docs: FIDO2 API for Android  |  Google Identity  |  Google Developers

Apple docs: Public-Private Key Authentication | Apple Developer Documentation

tim
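The relying-party side of the flow Tim describes (create a credential for an origin, then verify an assertion bound to that same origin), as an added Python example that is not from the thread or from any of the projects linked above. Whether the assertion came from a platform authenticator or a phone used as a roaming authenticator, the RP does the same binding checks before trusting the signature. The RP ID, origin and sample authenticator output are constructed assumptions, and signature verification with the stored credential public key is left to the caller:

```python
"""Added example (not from the thread): WebAuthn assertion binding checks an RP
runs before verifying the signature. RP_ID/ORIGIN and the sample authenticator
output are constructed assumptions."""
import base64
import hashlib
import json
import struct

RP_ID = "example.com"           # assumption: the RP's registrable domain
ORIGIN = "https://example.com"  # assumption: the only origin allowed to assert

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count,
            "userPresent": bool(flags & FLAG_UP), "userVerified": bool(flags & FLAG_UV)}

def verify_assertion_binding(auth_data: bytes, client_data_json: bytes,
                             expected_challenge: bytes, stored_sign_count: int,
                             require_uv: bool = True) -> bytes:
    """Run the type/challenge/origin/RP-ID/flag/counter checks of assertion
    verification and return the message the authenticator signed,
    authenticatorData || SHA-256(clientDataJSON). The caller verifies the
    assertion signature over that message with the stored public key."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("clientDataJSON is not an assertion")
    # The challenge is base64url without padding in clientDataJSON.
    enc = client["challenge"]
    got = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
    if got != expected_challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    if client.get("origin") != ORIGIN:
        raise ValueError(f"origin {client.get('origin')!r} not allowed")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not parsed["userPresent"]:
        raise ValueError("user presence flag not set")
    if require_uv and not parsed["userVerified"]:
        raise ValueError("user verification required but not performed")
    # A counter that fails to increase is the classic sign of a cloned credential.
    if parsed["signCount"] != 0 and parsed["signCount"] <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return auth_data + hashlib.sha256(client_data_json).digest()

# --- constructed sample output (not captured from a real authenticator) ---
def make_auth_data(rp_id: str, flags: int, count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

if __name__ == "__main__":
    chal = b"\x01" * 32
    msg = verify_assertion_binding(make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 5),
                                   make_client_data(ORIGIN, chal), chal, stored_sign_count=4)
    print("signed message length:", len(msg))  # 37 + 32 = 69
    try:
        verify_assertion_binding(make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 6),
                                 make_client_data("https://other.example", chal), chal, 5)
    except ValueError as e:
        print("rejected:", e)
```

The origin check is what makes the app binding Tim mentions matter: the system API fills in the origin the credential was created for, so an assertion produced for one origin cannot be replayed against another, and the RP should reject anything whose origin or rpIdHash it did not expect.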

Hassan Seifi

Jun 28, 2022, 9:21:17 PM
to Tim Cappalli, Arshad Noor, FIDO Dev (fido-dev), My1, Shane Weeden, tanmay...@gmail.com
I am just reading the title, which is about a general authenticator on the phone. But in case the OTP app is supposed to handle authentication for one RP/URL, that can definitely issue a request to the native API.


Thanks, Hassan



Tim Cappalli

Jun 28, 2022, 9:31:05 PM
to Hassan Seifi, Arshad Noor, FIDO Dev (fido-dev), My1, Shane Weeden, tanmay...@gmail.com
Yup, you're right. My apologies. Too much multitasking :)


Anders Rundgren

Aug 19, 2022, 12:24:52 PM
to FIDO Dev (fido-dev), Tim Cappalli, Arshad Noor, FIDO Dev (fido-dev), My1, Shane Weeden, tanmay...@gmail.com, seif...@gmail.com
If you create a FIDO credential using the regular authenticatorMakeCredential in a browser application, it seems to be impossible to reuse such credentials from a native Android app. In Windows it works out of the box.